I've made some changes based on the feedback in this thread: http://github.com/simonw/django/commit/802952bbb8b763e65ee545c6a8f39524b20e147c "Use sha('signer' + secret_key + salt) to derive the key for use in the signature() method, addressing feedback from the django-developers list"
The default signature() method now looks like this:

    from django.utils.hashcompat import sha_constructor  # sha1; import omitted in the quoted snippet

    # Method of the Signer class in django.utils.signed; base64_hmac is the
    # module-level helper in that same module.
    def signature(self, value, salt=''):
        # Derive a new key from the SECRET_KEY, using the optional salt
        key = sha_constructor('signer' + self.key + salt).hexdigest()
        return base64_hmac(value, key)

The secret key (self.key here) is now never used directly. Instead, a sha1 hash of the salt 'signer' plus the secret key plus any additional salt is used as the key for the signature. sha1 is used here as protection against weird key length extension attacks (like the one that affected the Flickr API recently).

http://github.com/simonw/django/commit/4ed44c2bce5000d6c78c3a26b84d08f636b3589c
"RAISE_ERROR now capitalised to emphasize that it is a constant"

http://github.com/simonw/django/commit/20f3a693b99ec6af0f91eecb31046e8a07dc7151
"Signed cookies now automatically include the name of the cookie as part of the salt"

http://github.com/simonw/django/commit/68c52f0b995447d93bce1db486b23a27b918da73
"Moved get_cookie_signer in to utils.signed"

New patch is attached to the ticket. Is there anything else I need to address before checking it in?

http://code.djangoproject.com/ticket/12417

Cheers,

Simon
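Added example, not part of Simon's message or the Django patch: a stand-alone re-implementation of the scheme described above (HMAC key = sha1('signer' + secret + salt), cookie name folded into the salt) showing that a value signed for one cookie does not verify under another. The ':' separator, the "cookie:" salt prefix and the URL-safe base64 encoding of base64_hmac are assumptions.

```python
import base64
import hashlib
import hmac

# Added example, not the patch's own code. Names and encodings are assumed.


def derive_key(secret_key: str, salt: str = "") -> bytes:
    """sha1('signer' + secret + salt).hexdigest(): the secret is never used as the HMAC key directly."""
    material = ("signer" + secret_key + salt).encode("utf-8")
    return hashlib.sha1(material).hexdigest().encode("ascii")


def base64_hmac(value: str, key: bytes) -> str:
    """URL-safe base64 of HMAC-SHA1(key, value) with '=' padding stripped (assumed encoding)."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def sign(value: str, secret_key: str, salt: str = "") -> str:
    """Append 'value:signature' using a salt-derived key."""
    return value + ":" + base64_hmac(value, derive_key(secret_key, salt))


def unsign(signed_value: str, secret_key: str, salt: str = "") -> str:
    """Return the original value; raise ValueError on a missing or bad signature."""
    if ":" not in signed_value:
        raise ValueError("No signature found")
    value, sig = signed_value.rsplit(":", 1)
    expected = base64_hmac(value, derive_key(secret_key, salt))
    # Constant-time compare so timing does not reveal how much of the signature matched.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("Signature does not match")
    return value


def is_valid(signed_value: str, secret_key: str, salt: str = "") -> bool:
    """Boolean wrapper around unsign() for callers that do not want exceptions."""
    try:
        unsign(signed_value, secret_key, salt)
        return True
    except ValueError:
        return False


def cookie_salt(cookie_name: str) -> str:
    """Per-cookie salt, mirroring 'cookie name as part of the salt' (assumed form)."""
    return "cookie:" + cookie_name


if __name__ == "__main__":
    secret = "constructed-secret-key-for-demo"  # constructed sample value
    signed = sign("alice", secret, cookie_salt("sessionid"))
    print(signed, is_valid(signed, secret, cookie_salt("sessionid")),
          is_valid(signed, secret, cookie_salt("remember_me")))
```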